[apparmor] [PATCH] DBus man page updates v2

Tyler Hicks tyhicks at canonical.com
Mon Apr 1 21:54:15 UTC 2013


On 2013-03-25 15:29:02, Jamie Strandboge wrote:
> On 03/25/2013 02:04 PM, Jamie Strandboge wrote:
> > Attached is a patch to update the apparmor.d man page for DBus. While
> > the current behavior is to have 'address=' optional when specifying the
> > address, based on IRC discussion this is likely to change. This patch
> > treats 'address=' as mandatory when specifying an address. Also, I
> > didn't dive into the code, so the BNF may need some tweaking.
> > 
> > This patch should be applied when DBus is supported by the parser.
> > 
> 
> Based on IRC discussions, 'address=' is being changed to 'dest='. This
> patch updates that, clarifies what 'dest' is and adds some example rules.
> 
> Acked-By: Jamie Strandboge <jamie at canonical.com>
> 
> -- 
> Jamie Strandboge                 http://www.ubuntu.com/

> === modified file 'parser/apparmor.d.pod'
> --- parser/apparmor.d.pod	2012-04-11 21:34:22 +0000
> +++ parser/apparmor.d.pod	2013-03-25 20:26:23 +0000
> @@ -3,7 +3,7 @@
>  #                  2008, 2009
>  #    NOVELL (All rights reserved)
>  #
> -#    Copyright (c) 2010 - 2012
> +#    Copyright (c) 2010 - 2013
>  #    Canonical Ltd. (All rights reserved)
>  #
>  #    This program is free software; you can redistribute it and/or
> @@ -54,7 +54,7 @@
>  
>  B<TEXT> = any characters
>  
> -B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | 'capability ' I<CAPABILITY> | I<NETWORK RULE> | I<MOUNT RULE> | I<FILE RULE> | 'change_profile -> ' I<PROGRAMCHILD> ) ... ] '}'
> +B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | 'capability ' I<CAPABILITY> | I<NETWORK RULE> | I<MOUNT RULE> | I<DBUS RULE> | I<FILE RULE> | 'change_profile -> ' I<PROGRAMCHILD> ) ... ] '}'
>  
>  B<SUBPROFILE> = [ I<COMMENT> ... ] ( I<PROGRAMHAT> | 'profile ' I<PROGRAMCHILD> ) '{' [ ( I<FILE RULE> | I<COMMENT> | I<INCLUDE> ) ... ] '}'
>  
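Review bot: I<DBUS RULE> is added to the B<PROFILE> alternatives, but the B<SUBPROFILE> production directly below still admits only I<FILE RULE> | I<COMMENT> | I<INCLUDE>. If dbus rules are accepted inside hats and child profiles, add I<DBUS RULE> there as well; if the omission is deliberate (that production already lacks I<NETWORK RULE> and I<MOUNT RULE> before this patch), a one-line note in the commit message would make that clear to the next reader.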
> @@ -99,6 +99,24 @@
>  
>  B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
>  
> +B<DBUS RULE> = [ 'audit' ] [ 'deny' ] 'dbus' [ I<DBUS BUS> ] [ I<DBUS DEST> ] [ I<DBUS PATH> ] [ I<DBUS INTERFACE> ] [ I<DBUS METHOD> ] [ I<DBUS ACCESS EXPRESSION> ]
> +
> +B<DBUS BUS> = 'bus' '=' ( 'system' | 'session' | '"' I<AARE> '"' | I<AARE> )
> +
> +B<DBUS DEST> = 'dest' '=' ( '"' I<AARE> '"' | I<AARE> )
> +
> +B<DBUS PATH> = 'path' '=' ( '"' I<AARE> '"' | I<AARE> )
> +
> +B<DBUS INTERFACE> = 'interface' '=' ( '"' I<AARE> '"' | I<AARE> )
> +
> +B<DBUS METHOD> = 'method' '=' ( '"' I<AARE> '"' | I<AARE> )
> +
> +B<DBUS ACCESS EXPRESSION> = '(' I<DBUS ACCESS LIST> ')'
> +
> +B<DBUS ACCESS LIST> = Comma separated list of I<DBUS ACCESS>
> +
> +B<DBUS ACCESS> = ( 'send' | 'receive' | 'acquire' | 'bind' )

I think we should drop 'bind' from this list since we don't list the
aliases for send and receive (write and read, respectively).

> +
>  B<AARE> = B<?*[]{}^> (see below for meanings)
>  
>  B<FILE RULE> = I<RULE QUALIFIER> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS> ','
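Review bot: the new B<DBUS RULE> production has no terminating `','`, while B<FILE RULE> spells its terminator out (`I<ACCESS> ','`) and every dbus rule in the examples added later in this patch ends with a comma (`dbus,`, `... (send, receive),`). Append `','` after `[ I<DBUS ACCESS EXPRESSION> ]` so the BNF matches the examples. Note also that with every component optional the bare `dbus,` form is grammatical, which is consistent with the "Allow all DBus access" example.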
> @@ -625,6 +643,41 @@
>  
>  =back
>  
> +=head2 DBus rules
> +
> +AppArmor supports DBus mediation. The mediation is performed in conjunction
> +with the DBus daemon. The DBus daemon verifies that communications over the
> +bus are permitted by AppArmor policy.
> +
> +AppArmor DBus rules are accumulated so that the granted DBus permissions are
> +the union of all the listed DBus rule permissions.
> +
> +AppArmor DBus rules are broad and general and become more restrictive as
> +further information is specified. Policy may be specified down to the method
> +level, however the contents of messages are not examined.
> +
> +When writing DBus rules, keep in mind that 'acquire' is synonymous with 'bind'
> +and 'dest' specifies the DBus connection name/unique bus name to receive the
> +message. Eg:

We can also drop the bit about acquire and bind here since there's no
need to mention bind in this man page. So, this paragraph would turn
into:

 +When writing DBus rules, keep in mind that 'dest' specifies the DBus
 +connection name/unique bus name to receive the message. Eg:

I'm going to send out a v3 of this man page patch with these two changes
and some other updates to the text to reflect some changes that I just
made to the dbus rule parser.

Tyler

> +
> +    # Allow all DBus access
> +    dbus,
> +
> +    # Deny access to the system bus for a particular interface
> +    deny dbus bus=system
> +              interface=com.example.ExampleInterface,
> +
> +    # Allow send/receive access for a particular destination,
> +    # object path, interface and method:
> +    dbus bus=session
> +         dest=com.example.ExampleName
> +         path=/com/example/sample/object/name
> +         interface=com.example.Interface
> +         method=ExampleMethod
> +         (send, receive),
> +
> +=back
> +
>  =head2 Variables
>  
>  AppArmor's policy language allows embedding variables into file rules
> 
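Review bot: the added `+=back` at the end of the new "DBus rules" section has no matching `=over` anywhere in this hunk; the only `=back` in context closes the preceding section, so pod2man/podchecker will complain about an unbalanced `=back`. The indented example rules are already verbatim POD paragraphs without any `=over`, so the simplest fix is to drop the added `+=back` line. Separately, the example `deny dbus bus=system interface=...` carries no access expression, which the grammar permits, but a short sentence stating that an omitted access list means all accesses (send, receive, acquire) would remove the ambiguity for readers.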
